
5 Security Questions For Your Hosting Company

In the past month, our forensic analysts ran into two situations where we saw a significant number of site cleaning customers, all from the same hosting companies, all with the same malware. In both cases the sites were infected due to a hosting company security issue.

We reached out to both of them and provided the relevant information and they were responsive. We won’t be mentioning them by name on the blog.

We have seen a third host this week that is not correctly isolating customer accounts on shared servers. They appear to have a filesystem permissions issue. They haven’t had any problems yet, but it is just a matter of time.

We decided to write a quick post that helps you determine whether your hosting company may be putting you at risk and whether that risk can be mitigated or whether you should consider moving to a new hosting company. We have a great article already on how to choose a WordPress hosting company, but what if you already have one?

The following are questions we think your hosting company should be able to answer.

Are you running up-to-date versions of the following products: cPanel, operating system, caching technology, PHP, phpMyAdmin and MySQL?

The important takeaway here is that the hosting company is actually responsible for a lot. Even if you are managing the security aspects of your website flawlessly, you could still be at risk if your hosting company isn’t holding up their side of the bargain.

One of the hosting companies we referred to earlier in the post was running a version of phpMyAdmin that is almost 2 years old and contains multiple known security vulnerabilities. It was no surprise to us that their customers were getting repeatedly hacked.

You should note that a host may be able to run an older version of software if they use ‘backported’ security fixes. That means they are using old software that has had new security fixes applied. If you do find that they are running an old version of something, ask them if they have applied the latest security fixes.

We are constantly reminding everyone to keep their themes, plugins and WordPress core up to date. Make sure that your hosting company is keeping the rest of your site software up to date as well.

Are you completely isolating hosting accounts from each other? Or is it possible for one hosting account to read files in another account on the same server?

We have seen hosting companies who were not correctly isolating user accounts from each other. That means that if an attacker gets a hosting account at one of these companies, perhaps by using a fraudulent card, they can access files in other hosting accounts.

In one case, an attacker was using an existing hosting account to read the wp-config.php file in other hosting accounts, which contains the database server address, username and password. The attacker then simply used that database access to create an admin-level user and had full access to the compromised website in the target hosting account.

You should ask your hosting company if other users on the same server as you can access your account. Users on your server should not be able to access any files in your account. Accounts should be completely isolated.
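One thing you can check from your own account is whether your files carry permission bits that would let another local user on the same server read them. The following script is an added example (not code from the Wordfence post); the account root path is an argument, and it assumes nothing about a particular host.

```shell
#!/bin/sh
# Added example, not code from the Wordfence post. It reports which paths in a
# hosting account carry permission bits that let *other* local users read them,
# which is the property the isolation question above is about. The account
# root path is an argument; nothing about a particular host is assumed.

# Octal permission bits of a path; tries GNU stat first, then BSD stat.
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Succeed (exit 0) when the "other" class has read or execute/search access.
# The last octal digit is the "other" class: bit 4 = read, bit 1 = execute.
other_can_access() {
    p=$(perm_of "$1")
    last=${p#"${p%?}"}            # last character of the octal string
    [ $((last & 5)) -ne 0 ]
}

# Check the account root and every wp-config.php under it.
# Returns 0 when nothing is exposed to other users, 1 otherwise.
check_account() {
    root=$1
    exposed=0
    if other_can_access "$root"; then
        echo "EXPOSED: $root (mode $(perm_of "$root")) is searchable by other users"
        exposed=1
    else
        echo "ok: $root (mode $(perm_of "$root"))"
    fi
    for f in $(find "$root" -type f -name wp-config.php); do
        if other_can_access "$f"; then
            echo "EXPOSED: $f (mode $(perm_of "$f")) is readable by other users"
            exposed=1
        else
            echo "ok: $f (mode $(perm_of "$f"))"
        fi
    done
    return $exposed
}

# Usage: check_account "$HOME"   (paths containing spaces are not handled here)
```

A clean result from this check is necessary but not sufficient: if the host runs every customer's PHP under the same system user, or does not confine accounts with a mechanism such as suexec, PHP-FPM pools or a chroot, another account's code can still read your wp-config.php regardless of its mode bits. That is the part only the host can answer.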

Are my server logs available and how long are they kept?

When a WordPress website is compromised by an attacker, one of the most important sources of information our forensic team has for determining how the site was hacked is the server logs. Unfortunately we often find that customers with entry-level hosting plans either don't have access to server logs at all, or that the logs are retained for such a short time that they aren't helpful.

We recommend a WordPress hosting plan that gives you immediate access to log files going back at least 24 hours. Ideally you should also have the ability to archive log files that are older than 24 hours, for 30 days.
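To show what those logs are worth after an incident, here is an added example (not from the Wordfence post) that pulls login-page POSTs out of an Apache/nginx "combined"-format access log and summarises them per client IP. The log lines embedded in it are constructed for the example, not real traffic.

```shell
#!/bin/sh
# Added example, not from the Wordfence post: one reason the post wants server
# logs kept is that they answer "who was hammering the login page, and did a
# guess succeed?" after a compromise. The sample lines below are constructed
# for this example (RFC 5737 documentation addresses), not real traffic.

SAMPLE_LOG='203.0.113.5 - - [01/Jun/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2017:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2017:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
192.0.2.9 - - [01/Jun/2017:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'

# Read combined-format log lines on stdin; print "count ip" for every client
# that POSTed to the login endpoints, busiest first. In the combined format
# field 1 is the client IP, field 6 the quoted method, field 7 the path.
login_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { print $1 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print client IP and timestamp for wp-login.php POSTs answered with 302, the
# redirect WordPress issues after a successful login (field 9 is the status).
# A run of 200s from one IP followed by a 302 is the signature of a guessed
# password.
successful_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { print $1, $4 }'
}

# Convenience wrapper over the embedded sample.
analyze_sample() {
    printf '%s\n' "$SAMPLE_LOG" | login_posts_by_ip
}

# analyze_sample prints:
# 3 203.0.113.5
# 1 198.51.100.7
```

Run it against a real log with `login_posts_by_ip < access.log`. If the site sits behind a CDN or reverse proxy, field 1 will be the proxy's address and the host must log the forwarded client IP for this to mean anything; that is another detail worth asking about when you ask how long logs are kept.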

How are you backing up my site and how long are backups being retained?

The fastest way to recover from a hacked website is by restoring a good backup of your site. Having quick access to a backup of your site can save you time, money and a lot of work. Find out what your hosting company is backing up, how long they are retaining it and where they are storing it.

If you’re on an entry-level hosting plan it is very likely that you will need to augment what your hosting company is already doing. In many cases they may not be doing anything at all.
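As an added example of augmenting the host's backups (this is not code from the Wordfence post), the script below archives a site's files, proves the archive can be read back, and prunes copies older than a retention window. Paths and the 30-day window are arguments; the database dump is left as a comment because it needs live credentials.

```shell
#!/bin/sh
# Added example, not from the Wordfence post: a minimal self-managed backup of
# a site's files with a restore check and a retention window. Paths and the
# retention period are arguments of this example. The database half
# (mysqldump) is left as a comment because it needs live credentials.

# backup_files SRC_DIR DEST_DIR -> prints the archive path it created.
# The archive is listed back with tar to prove it is readable; a backup that
# was never read back is not yet a backup.
backup_files() {
    src=$1; dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/site-$stamp.tar.gz"
    mkdir -p "$dest"
    # -C so the archive holds relative paths and restores anywhere.
    tar -czf "$archive" -C "$src" . || return 1
    tar -tzf "$archive" >/dev/null || { echo "corrupt archive: $archive" >&2; return 1; }
    # The database dump would go here, for example:
    #   mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db-$stamp.sql.gz"
    echo "$archive"
}

# restore_check ARCHIVE SRC_DIR -> 0 if extracting the archive reproduces SRC_DIR.
restore_check() {
    archive=$1; src=$2
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    diff -r "$src" "$scratch"
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# prune_backups DEST_DIR DAYS -> delete archives older than DAYS, printing each.
prune_backups() {
    find "$1" -type f -name 'site-*.tar.gz' -mtime "+$2" -print -exec rm -f {} \;
}

# Typical cron use:
#   a=$(backup_files /home/me/public_html /home/me/backups) && restore_check "$a" /home/me/public_html
#   prune_backups /home/me/backups 30
```

Where the copies live matters as much as how often they are taken: an archive stored in the same account that was just compromised can be deleted or altered by the same attacker, so copy the finished archive off the server (rsync or scp to another machine or object storage) as a final step.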

Does my current hosting plan allow me to enable HTTPS?

In the Introduction to WordPress Security article in our Learning Center we explain why it is crucial to only log into your website via a secure connection. If you aren’t currently logging into your site securely, drop everything you are doing and go fix that right away. An attacker who is listening to your network traffic can steal your username and password, taking control of your website.

There are additional benefits to running HTTPS. It will improve your SEO rankings and it will protect any other data you are capturing via forms and payment screens on the rest of your site. We strongly recommend that you run an HTTPS-only website if possible.
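Once the host has answered "yes" and a certificate is in place, WordPress itself can be told to refuse plain-HTTP logins through its `FORCE_SSL_ADMIN` constant. The script below is an added example (not from the Wordfence post) that inserts that define into a wp-config.php exactly once; the file path is an argument.

```shell
#!/bin/sh
# Added example, not from the Wordfence post. WordPress honours the
# FORCE_SSL_ADMIN constant: when true, wp-login.php and the dashboard are only
# served over HTTPS. This inserts that define into a wp-config.php once,
# before the "That's all, stop editing" marker (or, failing that, before
# wp-settings.php is loaded, the last point at which the constant still takes
# effect). The path is an argument; the host must already serve HTTPS.

# has_force_ssl_admin FILE -> 0 when the constant is defined true in FILE.
has_force_ssl_admin() {
    grep -Eq "define\( *'FORCE_SSL_ADMIN', *true *\)" "$1"
}

# ensure_force_ssl_admin FILE -> adds the define if missing; idempotent.
ensure_force_ssl_admin() {
    cfg=$1
    line="define('FORCE_SSL_ADMIN', true);"
    if has_force_ssl_admin "$cfg"; then
        echo "already set: $cfg"
        return 0
    fi
    tmp="$cfg.tmp.$$"
    awk -v line="$line" '
        (/That.s all, stop editing/ || /wp-settings\.php/) && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }   # no marker found: appended, verify by hand
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg" && echo "added to: $cfg"
}

# Usage: ensure_force_ssl_admin /home/me/public_html/wp-config.php
```

The constant protects the login and dashboard only; redirecting the rest of the site to HTTPS is a web-server setting (an Apache or nginx redirect rule) that the host may have to enable for you on a shared plan.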

Conclusion

We hope this post helped bring awareness to some of the hosting-related security issues that you need to stay on top of. Your hosting company plays a critical role in securing your website. Unfortunately not all of them are created equal, so make sure that yours is providing a strong security foundation for your WordPress website.

Would be nice to know if GoDaddy was one of them. I use their Linux hosting and have had repeated issues with hacking on my WordPress despite all the measures put in place. Somehow they find a way to change either my theme header or some other file and add base64-encoded includes from off-site. I was wondering if they have cross-site file permission issues.

GoDaddy was not one of them. I'd never heard of any of the three companies until our site cleaning team told me about the issues. Two out of the three have resolved the issue. The third was only discovered yesterday. We haven't discovered any hacked sites on the third provider yet, we just noticed their permissions are insecure across accounts, so we'll reach out and work with them.

James, I use GoDaddy and was just hacked two weeks ago. Cleaned it and got rehacked. I contacted GoDaddy about it, and they told me I was on their "old" Linux hosting plan, which uses an old version of PHP that is susceptible to hacking. Would have been nice if they'd told me that BEFORE my site was hacked. They upgraded me to their new Linux hosting plan (which surprisingly costs me less), and my site has been clean since. The hackers are still trying to get in (I can see their failed login attempts with Wordfence), but so far they haven't been able to get in. I'm still working on getting all the bad search results off Google though. I'd suggest contacting GoDaddy (I used their chat feature) to see if you're on the newest hosting plan.

Yes, if you are on the classic GoDaddy hosting plan, then the latest PHP version available is 5.4. However, even with the new cPanel plans, the latest PHP version available is 5.6, even though WordPress recommends PHP 7 as the minimum. I hope everyone who is a GoDaddy customer can encourage GoDaddy to offer PHP 7 either by sending support an email or posting on their community forum.
https://www.godaddy.com/community

Just want to add: Running an older version of PHP is not necessarily insecure. They have almost certainly applied backported security fixes (as I noted in the post above). I'd also add that compatibility for large mega-hosts like GoDaddy is a huge issue. They can't just bump everyone up to PHP7. It would cause chaos and break a lot of legacy code. I'm all for moving forward and supporting PHP7, but risk mitigation is also something the larger hosts have to consider.

But by all means, make your voice heard and that way you'll get PHP 7 as an option on their hosting plans rather sooner than later.

Mark - you don't have to post this... I just thought your "whackamole" comment was great. :) We could change whack-a-mole to whack-a-server. Whack-a-server - the game that lets you whack a hacker - coming soon to a server near you. :) Thanks for all the hard work you guys do.

You should do a post on the hosting services that do keep up to date on all security updates. Once word gets out that certain hosting companies didn't make the list, it might get them to pay attention. You could also do a "best of the best" list.

I also noticed a comment on a certain gator company... that is worrisome.

Great post. I realize you might not want to be in the ISP endorsing business, but elaborating on what Eric said, I'd love to see a list of sites that meet the following criteria, in more or less descending priority, but all important. I come from the point of view of an individual blogger, with a minimal budget for money and time.

a) Meets Wordfence security criteria, including providing an SSL certificate.
b) At least partially specifically caters to WordPress hosting, with knowledgeable tech support.
c) Has 24 hr phone / ticket / email tech support (preferably all three). Good phone support is important in a crisis.
d) Offers managed mode where they update core files. Some may disagree but this is better for less technical users or those who want less hassle. Users should have the option to manage all their own files as well, but these two are usually mutually exclusive.
e) Does NOT require annual payment up front. This is important for smaller operators who find it difficult to come up with a $200-$300-ish ISP payment lump sum once a year. Monthly payments are better. Notice I didn't say free. In my opinion, you won't get the type of support I'm describing for free.
f) Good reputation in the industry for customer service and reliability.

If this list was kept up to date, that would be even more fabulous. Since your security criteria are at the top of the list, you guys would be a great company to do this. (wink wink)

If I knew of a company with these attributes, I'd probably switch from the one I have now. No, I'm not stating their name. What I will say, though, is when they update the core files in managed mode, they put a "limit login attempts" plugin into the plugins-mu (I think) folder in the file system. This means "must use". You cannot see this plugin in the normal list and cannot disable or remove it. But, its settings are available in the WordPress settings menu. It's running, and it conflicts with WordFence login security settings. I've had to contact the ISP twice and have their tech people remove this item. Also, when they do updates, I end up with a number of unwanted inactive themes and plugins in the system that I have to go and delete.

I am on the verge of rebuilding the 3rd hacked website since 2015. All our sites are hosted with HostGator. Whether they are one of the three or not, I am in the market for reseller hosting that is super secure.

Must say the majority don't update because customers have outdated WordPress, themes and plugins. Along with end-of-life dependencies that are no longer supported, that makes it difficult to keep the old legacy stuff going. ea56 is at end of life. Already messy and it's going to get ugly!

Maybe old school html was not so bad after all... Especially for those who never maintain their website.

And after 30 years in the commercial web business I must say all we are doing is keeping the honest honest. Service providers, never take your eyes off the wheel and don't have a heart attack when you reboot.... Lord only knows what can happen!

I am with 1&1 on a few pro accounts (shared) for 30 WP sites, and have been after them to upgrade their MySQL version for months now. They still have 5.5.54 as the installed version as of today, which is a constant concern.

I am one of those that had my site hacked - and I'd never have known if it wasn't for Wordfence Premium alerting me to a new Admin User. I was so grateful that the team at Wordfence were able to clean and repair the site. Visually the web site was fine but a hacker had inserted code into numerous pages and it looked as if they were getting free web hosting on the back of my account. I tackled my web host about security as it seemed the hacker could gain FTP access at will and upload anything they liked. They said, "please be advised that the security and management provided with the xxxxx Hosting is related to the server, and the website's security is still the duty of the customers, so we can't advise or prevent attacks targeting the website files and databases itself." This leaves me feeling vulnerable. I had got so used to doing everything via the WordPress Dashboard I never checked the server files using FTP - but there were lots I'd never uploaded. I'm off to find a host that offers tighter security and HTTPS.
Thanks for all your help.
Iain

One of the greatest providers in Germany wrote emails to some of my clients saying there was a hack on wflogs/attack-data.php. The provider then told me that they want to talk with you about it and find a solution with you - is that right?

I think you're referring to an incident yesterday where 1&1 hosting flagged attack-data.php as a false positive. From our internal discussion: "1&1 sent out a false positive warning and locked down attack-data.php in wflogs. It sounds like they have corrected it at this point but it may take a few hours before their fix comes into effect."

So a hosting company accidentally detected a Wordfence file as malicious and fixed it in a few hours after working with us. It's unrelated to the post above.

Please excuse this error and any inconvenience caused by this false alarm.
We confirm that your file /wp-content/wflogs/attack-data.php does not contain any malicious code. The scanner made a mistake in the previous scan.
The database for the 1&1 Safety Scanner has now been corrected.
If the file still exists in your WebSpace, we changed the file-permissions back to the old value.
If you should require further information, please reply to this e-mail, leaving our reference [removed] in your message. You can also call us at [removed], from Monday-Friday, 11:00am-22:00pm.
We appreciate your cooperation and look forward to continuing to provide you safe and secure hosting.
Best regards,
Hosting Security
--
1&1 Internet Ltd.

It boils down to the old saying, you get what you pay for. With the drop in price over the years for dedicated servers I've seen so many companies pop up offering cheap forms of VM hosting yet their skills on setting up a secure server environment are lacking to say the least. FTP being the most common by far. I think Mark touched on this with a user being able to read other users' directories. I have used only FreeBSD jails now for many years for a dedicated site tied to a single IP address. If I offered shared hosting the server would be set up completely differently. Biggest problem I found was people using WordPress wanting security levels I applied lowered as some plugin was not working correctly. Wordfence has always been the first thing I've installed on a base install and yet I've come across people deactivating it because of some problem on their sites. Madness!
Keep up the good work Mark, enjoy reading your articles.

In the past, I had a cheap hosting company and paid for it dearly, my site got hacked, the hosting company got hacked, nothing was secure. I had to start over after a deep dive into local hosting services.

When I asked the new hosting company how they managed their security they advised me that they did NOT keep their backups on the same server as my site. That's an important security feature to consider. Great information here, Mark. Thanks.

I see some people writing how they have to piece back together hacked websites - you don't have to live this way. Use good security like Wordfence and then if a site still gets hacked - if you have BlogVault you can restore your site in no time by clicking through. They save backups for a long time, too. If you have not made a lot of changes you can go back to a safe copy. I would never ever have a site without using them. And a lot of developers love living this risky life because in my 20 years of building websites I have NEVER had a site come to me with backup installed. I don't work for BlogVault - that software has just saved my butt over and over and over again so I thought I would share with the community. Safe wordpressing everyone!!

Jennifer, couldn't agree more. Backups should be part of every site's maintenance plan. Unfortunately it usually takes one minor or major rebuild before a backup plan becomes part of the maintenance program.

Are there any web hosts that implement firewall rules to thwart most of the malicious traffic prior to it even hitting the website or Wordfence?

All of these websites left to defend themselves on their own? The smart ones using Wordfence of course, but it would be beneficial to the webhost and all of its users to block known malicious traffic at a higher level, blocking known malicious requests at a higher level before php even kicks in? Especially if a site isn't up to date this would be a huge benefit.

Seems like fish in a barrel to leave these sites on their own out there.....

Unfortunately that is the situation for the most part Bob. Some hosts use mod_security to protect their customer sites, but the rules aren't WordPress specific and aren't kept up-to-date in real-time. As far as I'm aware, most hosts use nothing.

You can use Cloudflare to mitigate a lot of bad traffic with page rules, and I set up nginx with naxsi rules and specific rules for WordPress. I also limit PHP to allow_url_fopen=Off and allow_url_include=Off. I also use route in rc.conf to block certain IP blocks that appear here on Wordfence. So there is a lot you can do server side to mitigate any attack vector. I use FreeBSD jails.

Yes, use Cloudflare/Wordfence etc... for firewall rules and/or use LINUX... Google: Linux Firewall rules. It's easy to set up but you need root access to the Linux machine.. Do you have it?? There are lists of known bots and IP addresses that are considered malware etc.. And please use a git repo... In case a hacker changes your code you know what was changed..

Not sure how you feel about a partisan approach, but I'd appreciate some hosting recommendations - not just who has the best security practices but who has also demonstrated good response (like the sites you mention) since no approach is probably bulletproof. I'm seeking out a new provider... Thanks!

Have you tried DigitalOcean? 5-10 dollars per month... You can lock down your site with ease or just host your WP site on App Engine... Then be done with it. Seriously, cloud computing is here, it's time to jump on the bandwagon. There's a reason why GoDaddy does not provide PCI Compliant servers anymore... it's the way their hosting is set up.... Folks, I don't mean to be a smart ass but have you heard of Amazon Cloud? It's not going to protect you by itself but shared web hosting is always going to be a risk.. It's the nature of it...

I would mention an important point to "the last version" of PHP. Some hosting let you choose your version of PHP so you can choose (if you really want to live dangerously) one that is not supported for already 4 (!) years. Example PHP 5.3 http://php.net/eol.php the default (!) option, for compatibility issues I suppose. I could also choose 5.4, 5.5 which are also no longer supported. They push the decision to you.

I would add that not the latest version is important but at least a supported version (branch) with all patches to date. I might prefer to use the version before the last one, it might be more stable, like one would consider for the operating systems. In the specific case of PHP there is some discussion about what features would work in 7.0 and not in 5.6 for example, both are maintained.

Thanks for the post! I've actually narrowed down my selection to a hosting company that is costly on the price ($100 a month) but from my research it appears that they are a premium when it comes to good hosting. I've been mulling over this decision for months now since I am launching my new blog next week.

I'm wondering if the issue you mentioned with one hosting account having access to other directory structures within another hosting account is something that is more common on SHARED hosting? I don't believe this would be an issue with VPS and obviously not an issue with a Dedicated instance.

Do you agree that VPS is probably the preferred hosting option to mitigate these kinds of security vulnerabilities?

It's all about correct configuration of the server. I personally have all user accounts set with a umask of 27 and that user account would also be set nologin, thereby not allowing SSH access but allowing SFTP if needed.
$100 a month is not a lot if you have a good sysadmin who knows his beans. Personally I build all my VPS (jails) from scratch and from source using LibreSSL. Yes, it's time consuming to set up initially but each VPS is basically your own dedicated server on its own IP and cloned daily with ZFS snapshots.

Dean, I've been doing this for years (pro blogger) and have never found a hosting company that's adequate for less than around $90/month. This is for a virtual server with several websites, medium level traffic (~10,000 uniques a day, excluding bots) that spikes. For that kind of money you should be able to get pretty much 24/7 tech support, which is essential for those of us who would rather write blog posts than configure our own hosting, though if you're a one-person show you'll be forced to learn at least something about hosting so you can make intelligent choices.

One thing Mark left out of this is your server should have some kind of firewall that's configurable with the help of the hosting company tech support. This is separate from Wordfence and protects against things like SFTP and FTP login brute forcing. Or at least that's my understanding.

One of the things I have seen with a lot of shared hosting (virtual) servers: if you have root access to the server (non Cpanel) you can see the network traffic on the (shared) interface(s) using either ngrep or tcpdump for all accounts on that server.
I know there are issues totally separating traffic for all of the accounts on a server, but I know it can be done, it scared the crap out of me.
A test for this should be included and should be made question #6.

I think you need root to put the interface in promiscuous mode to be able to use tcpdump to see all traffic. Even if you have ssh and shell access, and a tcpdump binary, you shouldn't be able to see all traffic.

They will not release the list. But you can assume that the majority of sites hacked out there are ones on shared web hosting solutions such as GoDaddy. I've seen a lot of hacked websites on these hosts because once a hacker has root access ALL the sites can be hacked. Just use DigitalOcean; it's 5-10 dollars per month and you can set up the security features you need. They have great tutorials and trust me, it's not worth the time and money using these shared hosting solutions anymore... THE CLOUD is here folks, time to jump on it..

We use Enta.net who are so far behind on everything we can't even install plugins or update WordPress, not without overriding the SSL auth check. We were told 2 years ago we were on an old server but they refuse to update. Appalling.

Thanks for the great article; price and features are what concerns most people and security is so often overlooked. I would agree with others that an article about the highest-ranking hosting providers in security would be very valuable!

I use Wordfence myself and I know you guys are always on top of things. Would really like to hear your opinion on the most secure hosts. I don't think any hosting companies provide Malware Removal, do they? I did see that WPX Hosting have just introduced malware removal for free though. Have you heard of them?

I will be directing other people with security concerns to this article. Thanks again and would really like to hear your thoughts on the best secured hosts!

I see a lot of host bashing going on when things like this happen, and yes there are some terrible bedroom hosts out there who have no idea what they are doing, and have no security on their servers, but a lot of hosts are stuck between a rock and a hard place when it comes to keeping servers up to date. More often than not it is the customers themselves who stop them from updating servers as they refuse to take security seriously and refuse to update their sites despite all the warnings, so they cannot be moved to another server and the server they are on cannot be updated or the host risks losing all those customers. And then when their site gets hacked, due to their decision not to update it, and stay on outdated servers and technology, they are the first to complain.
Did you know that according to research 75% of websites have been hacked?
Some customers do not care even after they have been hacked, they still are prepared to spend any money on their website or hosting to keep it secure, and it will happen again and again.

I used to run a hosting company myself until last year, so I do have first hand experience of this, and here is one example.

We originally used to run an old hosting control panel called HELM, which had reached end of life and was no longer supported, but most hosts kept it going for many years after its death as it was a good system. But then the day came that Windows Server 2003 also reached end of life, and HELM did not run on any newer version of Windows, so it had to go, as did all the servers it was running on, as it is not safe to keep them online. On top of the OS, these servers also had other old and vulnerable software like ColdFusion 6/7, PHP 5.2, etc.

We actually spent about 2 years trying to get customers off these old servers and onto our new ones, with dire warnings about the serious vulnerabilities, and we finally announced they would be turned off 9 months in advance of the Windows 2003 EOL. We even offered to get sites fixed for the customers at a reasonable rate.

We sent monthly reminders, we put a notice on every outgoing email (tickets, invoices, billing reminders, everything), on the ticket system itself, on the control panel login page, literally every place possible, so it was literally impossible to not be aware of it. Yet still a number of the customers on those servers ignored the notice and did nothing, and the day the servers were turned off, their sites of course went offline, and the complaints started.

Amazingly rather than address the actual issue, a lot of these customers instead went looking for crappy hosts that were still running and supporting Windows 2003 and the old and outdated tech. So they were happy to take the risks of being hacked and having data stolen, just to avoid having to do the work in updating their sites.
So we literally had 2 choices, either continue running these insecure servers indefinitely for the sake of keeping those remaining customers, running an EOL operating system, or turn them off and lose the customers. For a small host this is not an easy decision.

I am quite glad to be out of that business now; instead I now do Managed Services, and as part of that I offer managed hosting using other hosting providers. I monitor, maintain and manage the websites for the clients, keeping them up to date and malware free, and making sure the servers are up to date as well. If there is any problem with the host, I just move the customer's site elsewhere for them.

I'd recommend using Amazon EC2, Google Compute, DigitalOcean, Cloudflare, etc.... It's much easier than dealing with shared web hosting solutions like GoDaddy (and cheaper)... Also, you can choose what version of PHP X, MySQL X, phpMyAdmin X you want to have. I have all the latest versions. It's also easy to set up a LAMP stack on these cloud servers nowadays. I spend less than 20 dollars a month and have the best hosting solution (one that is private) with a load balancer.
My setup includes: PHP7, SSH (key access only and restricted to IP addresses), Apache running as the WWW user, GIT repo (private), SFTP (key access only), log files saved offline forever, phpMyAdmin can only be accessed via SSH key forwarded through my local machine. I can update the Linux distro (Debian managed by Google) as I see fit and with my git repo I have a backup of my WordPress site. Cloudflare helps with botnet brute force attacks and I have Wordfence for scripting hacks....
Contact me if you need help..

As usual, great post.
The only issue I see is that a hosting company will answer "yes, of course" to all your questions.
So only some kind of security rating from Wordfence and other security companies and organizations may help.

I've been going through this for 6-7 months now with my hosting company, WebhostingPad. Back in October/November, a group of wannabe hackers hacked in through the cPanel. The company put the blame on me for it happening and told me to change my passwords. Being a newbie to all of this, I went ahead and did it. I decided to do the right thing and change every password, from FTP to cPanel to email on that account to even my personal things from email to Instagram to Twitter, etc. Each password was different and NOT stored in my browser and I even did 2-step verification on anything that allowed it.

Fast forward about three weeks later and BOOM, my site gets hacked again via the cPanel. This time I google the name that appeared on my website and saw a Facebook post from the week before and clicked on it. The link went to the Facebook page of WebhostingPad and my name along with roughly 20 more cPanel usernames for them are listed on the post from the little hacking group telling WebhostingPad that they used a security flaw to compromise all of us. That post had been on my host's Facebook page for a week and they hadn't deleted the comment nor checked to see what had happened until I sent in a support ticket reaming their behinds. After a back and forth about how they are going to stop this, they suspend my account! LOL. WTH, I alert the HOST about their insecure cPanel and they suspend me because I'm a little irate that this has happened twice within a month due to them being inept. So, I complain again and my account is restored. I go through the process of changing ALL my passwords again and decide to scrap everything and start from scratch, so they wipe my account completely and scan it for anything that might be improper. They reply back saying that they've updated their cPanel and that it should not happen again.

Now, I'd been fine for a few months until yesterday while I was at work I get a notice that my password has been changed on the cPanel. Unfortunately, I can't drop everything while at work, so I respond to a support ticket real quick that I had in my email to let them know that I did NOT request a password change. Then, I go to my site and I get a file directory page that has nothing but a file called dress.php on it. GRRRR.

When I get home, I contact them and they ask what am I requesting them to do. Do I just want them to change the password since I can't log in? NOOO! I want them to figure out how the hell the cPanel keeps getting hacked because I have no confidence that they are on top of anything. Luckily, my plan expires in June, so I'm going to pay the extra money for a better host service provider when I switch. I'm probably going to switch my URL as well.